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Introduction 

The  purpose  of  this  paper  is  to  describe  some  of  the  factors  which  been  influencing  the  way  in 
which  the  UK  Navy  safety  authorities  judge  the  safety  of  Naval  armament  Stores.  This 
judgement  has  been,  and  will  remain,  largely  a  question  of  the  safety  authorities  acquiring 
sufficient  confidence  that  the  store  is  and  will  remain  safe  throughout  its  life  in  a  specified 
environment. 

This  confidence  is  derived  from  a  variety  of  different  sources  (figure  I).  Knowing  that  the 
store  has  been  designed  and  built  to  agreed  standards  and  to  satis-  specific  requirements 
provides  a  large  measure  of  this  confidence.  These  requirements  speci-  amongst  other  things 
that  only  propellants  and  explosives  with  acceptable  properties  can  be  used.  A  understanding 
of  how  the  store  is  to  be  handled  is  a  -rther  confidence  builder.  Finally  confirmation  that  the 
all-up  store  is  safe  is  provided  by  a  series  of  munitions  safety  tests  which  provide  a 
comfortable  margin  of  safety. 

This  process  is  a  qualitative  one  but  nevertheless  involves  the  safety  authority  comparing  the 
perceived  confidence  against  a  imaginary  threshold.  Provided  confidence  is  above  this 
threshold  then  stores  will  be  brought  into  service.  If  ever  they  drop  below  the  threshold  then 
they  may  be  withdrawn  until  confidence  is  restored.  By  this  means  the  UK  Navy  have  been 
assured  that  the  weapons  they  carry  will  not  endanger  their  ships. 

Changing  Environment 

However  it  is  not  only  ships  and  their  crew  which  may  be  endangered  by  embarked 
munitions.  When  ships  enter  dockyards  or  come  into  port  then  the  whole  facility  and  possibly 
the  surrounding  area  and  its  population  are  put  at  a  small  but  finite  risk.  The  situation  is 
fiirther  complicated  if  the  facility  has  nuclear  installations  such  as  a  reactor  refit  complex.  In 
the  case  of  an  accident  involving  the  explosion  of  ship's  munitions  these  nuclear  facilities 
could  be  put  at  risk  with  the  eventual  release  of  radioactive  materials  into  the  environment. 

Nuclear  facilities  in  the  UK  whether  military  or  civil  are  careft-lly  regulated.  Pennission  to 
operate  demands  the  nuclear  safety  authorities  being  satisfied  that  operations  are  tolerably 
safe.  The  operator  of  any  nuclear  facility  therefore  has  to  demonstrate  through  a  safety  case 
that  all  possible  accidents  have  been  considered  and  that  those  considered  credible  are  so 
unlikely  that  the  risk  to  the  facility  is  acceptable. 
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In  a  Naval  facility  one  of  these  credible  accidents  is  an  explosion  of  munitions  in  storage  or 
during  handing  operations.  Blast,  fragment,  thermal  radiation  and  debris  damage  may  all 
cause  damage  to  nuclear  installations.  Increasingly  we  in  the  ordnance  safety  community  are 
not  being  asked  for  an  assurance  that  weapons  are  safe  but  for  a  quantitative  assessment  on 
how  safe  they  are. 

Safety  Goals 

Before  considering  how  we  go  about  answering  such  questions  it  worth  examining  how  safe 
do  munitions  need  to  be  and  how  are  the  safety  criteria  are  expressed.  As  a  working 
hypothesis  we  in  the  Navy  department  work  on  the  basis  that  Naval  installations  should  be  no 
more  hazardous  to  people  working  in  them  or  near  to  them  that  corresponding  civil  ones.  In 
other  words  people  should  be  at  no  greater  risk  living  near  a  Naval  base  or  refit  complex  than 
they  would  be  living  near  a  nuclear  power  station  or  petrochemical  works. 

For  such  civil  installations  tolerability  and  acceptance  goals  are  often  expressed  quantitatively 
in  the  form  of  a  graph.  This  shows  the  number  of  people  who  would  be  harmed  annually  by 
an  event  against  the  likelihood  of  an  event  occurring  Figure  2. 

These  show  three  distinct  areas: 

Acceptable 

a)  one  shows  the  acceptable  area  where  the  risks  are  so  low  that  no  fiirther  measures  need  to 
be  taken  to  further  reduce  them.  Typically  individuals  a  willing  to  accept  a  risk  of  being  killed 
by  lightning  of  one  in  a  million  so  any  man  made  risk  which  is  lower  than  this  is  considered 
acceptable.  The  line  which  bounds  this  region  is  the  Basic  Safety  Objective  (BSO). 

Intolerable 

b)  two  shows  the  area  of  intolerability  where  the  risks  are  so  high  that  they  would  be  deemed 
intolerable.  If  the  risk  of  a  nuclear  release  from  power  station  was  this  high  then  the  plant 
would  not  be  allowed  to  operate.  The  line  which  bounds  this  area  is  the  Basic  Safety  Limit 
(BSL). 

ALARP 

c)  the  third  area  lies  in  between.  If  the  risks  lie  in  this  area  then  fiirther  effort  should  be  made 
to  reduce  them  so  that  they  are  as  Low  As  Reasonably  Practicable.  It  would  not  be  considered 
reasonably  practicable  to  spend  millions  of  pounds  or  dollars  to  gain  only  marginal 
improvements  in  safety. 

In  addition  to  these  three  areas  the  criteria  applied  to  members  of  the  public  will  usually  be 
more  rigorous  than  those  applied  to  site  workers.  Furthermore  there  will  often  be  an  aversion 
to  major  accidents  which  affect  a  lot  of  people  at  once. 


These  goals  are  already  acknowledged  in  the  regulation  of  civil  hazardous  facilities  and  are 
increasingly  forming  an  important  basis  forjudging  the  safety  of  Naval  installations. 


Meeting  the  Goals 


Demonstrating  that  the  goals  are  met  will  normally  require  a  thorough  quantitative  risk 
assessment  (QRA)  of  all  the  risks  which  an  installation  or  facility  faces.  In  so  doing  the  main 
factors  which  contribute  to  the  risk  need  to  be  identified.  Each  is  then  allocated  a  share  of  the 
total  site  risk  budget  as  shown  in  Figure  3. 

In  a  hypothetical  case  a  naval  vessel  may  well  be  berthed  in  close  proximity  to  a  nuclear 
installation  such  that  a  weapon  explosion  would  inevitably  lead  to  an  off  site  release  of 
radioactive  material.  If  the  tolerability  of  such  a  release  were  IE-06  per  annum  from  all 
possible  causes  and  weapons  threats  are  allocated  one  tenth  of  the  risk  budget  it  follows  that 
the  tolerability  of  a  weapon  explosion  is  IE-07.  However  if  there  are  many  weapon 
movements  (say  100)  per  year  the  risk  of  a  weapon  accident  per  movement  will  be  IE-09  per 
movement.  Showing  that  the  risk  for  each  weapon  movement  is  beffer  than  one  in  a  thousand 
million  is  a  major  challenge. 

Facing  The  Challenge 

Over  the  past  year  the  UK  munitions  safety  authorities  have  been  endeavouring  to  answer  the 
question  -  how  safe?. 

The  factors  which  provide  confidence  for  safety  assurance  are  also  those  which  need  to  be 
quantified.  The  safety  authorities  need  to  establish  how  safe  is  the  design,  the  explosives,  the 
handling  and  the  weapon.  The  following  examples  illustrate  how  for  a  particular  weapon 
system  the  safety  of  the  design  and  the  weapon  handling  operations  have  been  quantified. 

Design  Safety 

In  one  torpedo  example  the  major  risk  of  a  weapon  explosion  was  ascertained  to  be  the 
undetected  mixing  of  the  fuel  and  oxidant  in  the  propulsion  system.  It  was  therefore  necessary 
to  establish  the  likelihood  of  this  occurring. 

A  joint  team  comprising  the  weapon  designers,  the  MOD  project  manager  and  the  safety 
authorities  examined  all  aspects  of  the  design  to  establish  all  possible  modes  of  failure.  A 
logical  fault  tree  was  agreed  and  drawn  up  with  some  650  events.  The  probabilities  of  these 
events  occurnng  was  established  by  consultation  with  established  data  bases  or  though  expert 
judgement.  A  page  from  the  fault  tree  is  reproduced  at  Figure  4.  It  shows  the  sort  of  events 
which  had  to  be  considered.  By  this  process  the  safety  critical  areas  were  identified  and  the 
design  weaknesses  established. 

The  safety  goal  for  the  design  in  this  case  was  that  there  should  be  three  independent  and 
unlikely  modes  of  failure.  Unlikely  was  defined  as  between  10E-2  and  10E-3  depending  on 
confidence  of  the  results.  This  gives  an  overall  failure  frequency  of  between  10E-6  and  10E-9. 
Although  it  could  be  shown  that  this  overall  figure  could  be  achieved  it  could  not  always  be 
achieved  by  three  independent  failures.  A  major  output  from  the  analysis  was  a  series  of 


recommendations  which  will  restore  the  three  fault  safe  criteria. 


It  was  also  possible  to  demonstrate  in  a  auditable  way  that  the  design  was  tolerably  safe  and 
when  installed  in  a  submarine  created  an  acceptable  risk  to  the  submarine's  crew  propulsion 
plant  and  shore  facilities. 

Handling  Safety 

In  a  second  example  all  up  weapons  tests  were  unable  to  demonstrate  that  a  weapon  would 
behave  in  an  acceptable  way  when  dropped  or  otherwise  mishandled.  In  this  case  the 
quantitative  risk  analysis  concentrated  on  looking  at  all  phases  of  the  weapon's  deployment  to 
acquire  confidence  that  it  would  not  be  dropped  or  mishandled. 

Again  a  joint  team  was  assembled  bringing  together  explosives  experts,  operators,  crane 
experts,  safety  advisors,  designers  and  project  staff  Every  stage  of  the  weapon  system's 
deployment  was  analysed  in  detail.  All  transport,  storage  and  handling  operations  were 
meticulously  analysed.  The  team  witnessed  movements  and  viewed  videos  of  handling.  All 
procedures  and  steps  were  documented  and  for  every  stage  in  the  operation  the  risks  were 
assessed.  Many  hundreds  of  steps  were  identified  and  these  were  brought  together  in  fault 
trees  which  enabled  one  to  identi-  the  safety  critical  activities  and  those  which  had  little 
impact  on  safety.  Figure  5  shows  some  of  the  activities  identified  and  quantified.  In  every 
case  the  source  of  the  data  was  referenced  and  expert  opinion  sought  to  verity  the  figures 
used. 

The  safety  critical  ones  were  analysed  even  more  rigorously  and  in  several  cases  operating 
procedures  and  engineering  modifications  were  introduced  to  provide  adequate  margins  of 
safety.  In  this  case  pessimistic  assumptions  had  to  be  made  about  how  a  weapon  would 
respond  in  an  accident  however  it  was  possible  to  show  that  a  weapon  accident  was  so 
unlikely  as  not  to  hazard  other  facilities. 

Munitions  Tests 

The  two  studies  cited  have  been  undertaken  because  the  traditional  means  of  assessing 
weapon  safety  through  all  up  weapons  testing  have  not  provided  the  required  confidence.  For 
that  reason  even  greater  reliance  has  been  placed  on  demonstrating  that  the  design  is 
intrinsically  safe  and  that  handling  operations  are  sufficiently  safe.  In  these  cases  the 
confidence  level  required  is  not  an  intellectual  one  but  a  numerical  one. 

Traditional  weapons  testing  is  designed  to  provide  confidence  that  in  the  worst  case  scenario 
the  weapon  will  behave  in  an  acceptable  way.  The  40ft  drop  test,  bullet  attack  tests  fast  cook 
off  are  all  intended  as  worst  case  tests.  However  as  we  have  discovered  in  our  spigot  attack 
work  detonations  have  occurred  at  5ft  on  stores  which  have  survived  40ft  drops.  We  have  also 
seen  higher  order  events  when  a  store  is  struck  by  lower  velocity  bullets. 


The  greatest  shortcoming  is  that  they  provide  little  information  which  is  usetul  in  the 
quantitative  assessments.  Knowing  that  one  store  survives  a  40ft  drop  does  not  enable  us  to 
predict  the  likelihood  of  a  detonation  when  it  is  dropped  from  the  back  of  a  truck.  In  part  their 
inadequacy  is  due  to  our  poor  understanding  of  the  mechanisms  involved  and  the  links 
between  all  up  weapon  behaviour  and  small  scale  testing. 

Conclusions 

From  CINOs  experience  over  the  past  few  years  we  have  drawn  the  following  conclusions. 

There  is  an  increasing  and  inescapable  need  to  quantify  the  risks  of  munitions  accidents. 

Where  quantitative  analysis  is  undertaken  on  the  design  and  handling  this  should  be 
conducted  at  the  beginning  of  the  project  rather  than  at  the  end.  At  that  stages  design 
weaknesses  or  shortcomings  in  handling  procedures  can  be  identified  and  rectified. 

The  resources,  skills,  time  and  data  required  to  undertake  an  analysis  should  not  be 
underestimated.  This  is  a  major  undertaking. 

Traditional  munitions  tests  are  unable  to  provide  sound  a  sound  basis  for  quantitative 
assessment.  Furthermore  our  understanding  of  the  mechanisms  leading  to  initiation  in  these 
tests  is  inadequate. 

Recommendations 

An  improved  understanding  needs  to  be  established  on  the  link  between  all  up  weapons  tests 
and  small  scale  predictive  tests. 

Quantitative  data  bases  need  to  be  established  to  support  quantitative  assessments.  Agreed 
methodologies  should  be  established  for  assessing  the  risks  from  weapons.  Quantitative  goals  for 


weapons  safety  should  be  agreed  and  declared  as  a  design  requirement. 
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